FOREWORD


1.  The  “National  Policy  for  the  Security  of  National  Security  Telecommunications  and  Information  Systems,” 
signed  by  the  President  on  July  5,  1990,  mandates  the  development  and  implementation  of  a  comprehensive 
approach  to  national  security  telecommunications  and  automated  information  systems  security.  It  is  recognized 
that  the  community  of  information  systems  security  (INFOSEC)  professionals  has  evolved  beyond  the  need  for 
cross-training  (i.e.,  communications  security  to  computer  security  and  vice  versa),  into  a  more  global  concern  for 
the  development  of  a  common  body  of  knowledge.  This  directive  is  issued  in  response  to  those  requirements  for 
the  training  of  INFOSEC  professionals. 

2.  Representatives  of  the  National  Security  Telecommunications  and  Information  Systems  Security 
Committee  may  obtain  additional  copies  of  this  directive  from: 

Executive  Secretariat 

National  Security  Telecommunications  and 
Information  Systems  Security  Committee 
National  Security  Agency 
Fort  George  G.  Meade,  MD  20755-6000 

3.  U.S.  Government  contractors  are  to  contact  their  appropriate  government  agency  or  Contracting  Officer 
Representative  regarding  distribution  of  this  document. 

NATIONAL  TRAINING  PROGRAM  FOR
INFORMATION  SYSTEMS  SECURITY  (INFOSEC)  PROFESSIONALS 


SECTION  I  -  PURPOSE

1.  This  directive  establishes  the  requirement  for  federal  departments  and  agencies  to  implement  training 
programs  for  information  systems  security  (INFOSEC)  professionals.  For  the  purpose  of  this  directive,  an 
INFOSEC  professional  is  an  individual  who  is  responsible  for  the  security  oversight  or  management  of  national 
security  systems  during  each  phase  of  the  life  cycle. 

SECTION  II  -  SCOPE  AND  APPLICABILITY 

2.  This  directive  is  applicable  to  all  departments  and  agencies  of  the  U.S.  Government,  their  employees,  and 
contractors  who  are  responsible  for  the  security  oversight  or  management  of  national  security  systems  during  each 
phase  of  the  life  cycle. 


SECTION  III  -  AUTHORITIES 

3.  P.L.  100-235,  Computer  Security  Act  of  1987,  dated  January  8,  1988,  requires  mandatory  periodic  training 
for  all  persons  involved  in  management,  use,  or  operation  of  federal  computer  systems  that  contain  sensitive 
information. 

4.  National  Policy  for  the  Security  of  National  Security  Telecommunications  and  Information  Systems,  dated 
July  5,  1990,  mandates  the  development  and  implementation  of  a  comprehensive  approach  to  national  security 
telecommunications  and  automated  information  systems  security. 

5.  NSTISSI  No.  4009,  National  Information  Systems  Security  (INFOSEC)  Glossary,  dated  5  June  1992. 

SECTION  IV  -  DEFINITIONS 

6.  The  following  definitions,  applicable  to  this  instruction,  are  contained  in  NSTISSI  No.  4009,  and  are  listed 
below  for  information  purposes: 

a.  Information  systems  security  (INFOSEC)  -  the  protection  of  information  systems  against  unauthorized 
access  to  or  modification  of  information,  whether  in  storage,  processing  or  transit,  and  against  the  denial  of  service 
to  authorized  users  or  the  provision  of  service  to  unauthorized  users,  including  those  measures  necessary  to  detect, 
document,  and  counter  such  threats. 

b.  Information  systems  -  any  telecommunications  and/or  computer  related  equipment  or  interconnected 
system  or  subsystems  of  equipment  that  is  used  in  the  acquisition,  storage,  manipulation,  management,  movement, 
control,  display,  switching,  interchange,  transmission  or  reception  of  voice  and/or  data,  and  includes  software, 
firmware,  and  hardware. 

c.  National  security  systems  -  those  telecommunications  and  automated  information  systems  operated  by  the 
U.S.  Government,  its  contractors,  or  agents,  that  contain  classified  information  or,  as  set  forth  in  10  U.S.C.  Section 
2315,  that  involves  intelligence  activities,  involves  cryptologic  activities  related  to  national  security,  involves
command  and  control  of  military  forces,  involves  equipment  that  is  an  integral  part  of  a  weapon  or  weapon  system, 
or  involves  equipment  that  is  critical  to  the  direct  fulfillment  of  military  or  intelligence  missions. 

d.  Telecommunications  -  the  preparation,  transmission,  communication,  or  related  processing  of 
information  (writing,  images,  sounds  or  other  data)  by  electrical,  electromagnetic,  electromechanical,
electro-optical,  or  electronic  means. 

e.  Telecommunications  and  automated  information  systems  security  -  protection  afforded  to 
telecommunications  and  automated  information  systems,  in  order  to  prevent  exploitation  through  interception, 
unauthorized  electronic  access,  or  related  technical  intelligence  threats,  and  to  ensure  authenticity.  Such 
protection  results  from  the  application  of  security  measures  (including  cryptosecurity,  transmission  security, 
emission  security,  and  computer  security)  to  systems  that  generate,  store,  process,  transfer,  or  communicate 
information  of  use  to  an  adversary,  and  also  includes  the  physical  protection  of  technical  security  material  and 
technical  security  information. 

SECTION  V  -  RATIONALE  AND  OBJECTIVES 

7.  Technology  that  supports  national  security  systems  continues  to  be  enhanced.  Integration  of 
telecommunications  and  automated  information  systems  is  commonplace,  often  obscuring  what  was  once  two 
distinct  disciplines.  The  telecommunications  manager’s  reliance  on  automated  information  systems  will  continue 
to  increase  just  as  will  the  automated  information  systems  manager’s  reliance  upon  telecommunications.  As  the 
degree  of  overlap  fluctuates  between  the  two,  understanding  operational  requirements  becomes  more  difficult.  A 
sharing  of  knowledge  between  the  two  disciplines  will  ensure  that  the  requirements  of  both  are  fully  addressed. 

8.  The  objective  of  this  directive  is  to  require  the  implementation  of  a  training  program  to  provide  INFOSEC 
professionals  with  a  common  body  of  knowledge  encompassing  both  communications  security  and  computer 
security.  Persons  who  are  responsible  for  the  security  oversight  or  management  of  national  security  systems, 
without  a  basic,  yet  broad  perception  of  both  disciplines,  place  the  systems  at  risk. 

SECTION  VI  -  INFOSEC  TRAINING 

9.  INFOSEC  is  multidisciplinary  in  nature,  requiring  a  wide  spectrum  of  knowledge  such  as  operations 
security,  emanations  security,  physical  security,  personnel  security  and  related  security  areas.  Recognizing  the 
convergence  of  traditional  telecommunications  and  automated  information  systems  technology  and  their  growing 
interdependence,  it  is  necessary  to  ensure  that  the  work  force  makes  this  transition.  Basic  INFOSEC  awareness, 
training,  and  education  are  security  countermeasures. 

SECTION  VII  -  RESPONSIBILITIES 

10.  The  heads  of  federal  departments  and  agencies  will: 

a.  Implement  an  INFOSEC  training  program  as  part  of  the  overall  training  program,  in  accordance  with 
agency  or  department  specific  requirements,  following  the  minimum  course  content. 

b.  Ensure  that  INFOSEC  professionals  are  trained  in  a  common  body  of  knowledge  as  outlined  by  the
National  Manager. 

c.  Require  contractors  to  comply  with  the  provisions  of  this  directive  when  they  are  responsible  for  the 
security  oversight  or  management  of  national  security  systems,  operated  by  or  on  behalf  of  the  Federal 
Government.  For  contractors,  the  terms  of  the  contract  shall  specify  this  requirement. 

11.  The  National  Manager  will: 

a.  Develop  and  define  minimum  training  standards  for  an  INFOSEC  training  program. 

b.  Provide  minimum  training  standards  for  an  INFOSEC  program  to  federal  departments  and  agencies,  to 
include  their  contractors. 

c.  Ensure  that  appropriate  INFOSEC  training  course(s)  are  developed  and  include  policies,  standards, 
criteria,  products,  and  technologies  that  result  from  federal  or  federally  sponsored  efforts. 

d.  Assist  other  federal  departments  and  agencies  in  developing  and/or  conducting  INFOSEC  training 
activities,  as  requested. 

DISTRIBUTION:

NSA 

NSC 

OMB  (Intel  Branch  NSD) 

OASD  (C3I/TS)  (2) 

ODASD  (CI  &  SCM)

DODSI 

DA  (SAIS-ADS)  (15) 

CNO  (OP941J)  (3) 

CMC  (CC)  (5) 

COMJSOC  (J62) 

The  Joint  Staff  (J6X)  (2) 

The  Joint  Staff  (DIRM/SCD/ISOB) 
USCINCLANT  (J6)  (2) 
USCINCCENT  (CCJ6)  (4) 
USCINCEUR  (ECJ6)  (2) 
CINCFOR  (FCJ6)  (2) 
USCINCPAC  (J6)  (2) 

USCINCSO  (SCJ6)  (2) 
USCINCSPACE  (J4-J6)  (2) 
USCINCSOC  (SOJ6)  (2) 
USSTRATCOM  (2) 
USCINCTRANS  (TCJ6)  (2) 
TIC/DSS  (2) 

HQ  USAF  (SCXX)  (3) 

HQ  USAF  (SCS  (3) 

AFCSC  (SRMP)  (10) 
AFCSC/SRVT 
COMUSFJAPAN  (J6)  (2) 

Defense  Courier  Service  (2) 

DIA  (DSE-2B)  (10) 

DIS  (V0432)  (5) 

DIS  (V0060) 

DEA  (DLA-IA)  (2) 

DNA  (LECD) 

CDR  JIEO 

COMDT  COGARD  (G-TTS-4)  (3) 

COMCOGARDLANTAREA 

COMCOGARDPACAREA 

COMCOGARDONE 

COMCOGARDTWO 

COMCOGARDFIVE 

COMCOGARDSEVEN 

COMCOGARDEIGHT 

COMCOGARDNINE 

COMCOGARDELEVEN
COMCOGARDTHIRTEEN 
COMCOGARDFOURTEEN 
COMCOGARDSEVENTEEN 
COMSPAWARSYSCOM  (PMW  151)  (3) 
DCMS  (TD)  (2) 

CG  MCDEC  (DEVCEN  C3)  (2) 

Dept.  of  Agriculture  (MSD/FAS)  (2)

Dept.  of  Commerce  (OIRM/TMD)  (2)

Dept.  of  Energy  (AD241.1)  (2)

Dept.  of  Health  &  Human  Services  (IG)  (2)
Dept.  of  Interior  (PPS-S  MS5040  MIB)  (2)
Dept.  of  Justice  (JMD/SEPS)  (2)

Dept.  of  State  (DS/CMI/ISS)  (5)

Dept.  of  State  (SA-34,  DTS-PO)

Dept.  of  Transportation  (OIS  M-70)  (2)

Dept.  of  Treasury  (MST)  (10)

CIA  (OC-CSD)  (2) 

CIA  (DIR  OIT)  (2) 

CIA  (ISSG/OS)  (2) 

CIA  (Chief,  TEMPEST  Division,  (OS)  (2) 

CIA  (Chief  INFOSEC  OIT) 

CIA  (Reference  Library) 

DIR,  IC  STAFF  (IIHC)  (2) 

DIR,  IC  STAFF  (CCISCMO)  (2) 

DIR,  IC  STAFF  (Policy  and  Planning  Staff)  (2) 
DISA  (Code  DIPP)  (5) 

DMA  (TSC) 

DMA  (IS) 

Drug  Enforcement  Administration  (OSTC)  (2) 
FAA  (ACO-300)  (6) 

FBI  (TSD)  (5) 

FCC  (OMD)  (2) 

FEMA  (NP-IR)  (7) 

GSA  (KVI)  (6) 

NASA  (JIS) 

NASA  (OS)  (2) 

NASA  (JT) 

NCS  (MGR)  (2) 

NRC  (8203-MNBB)  (3) 

USDELMC  (INFOSEC  REP) 

U.S.  Customs  Service  (65) 

WHCA 